User device is coupled to port of network access device
Network access device authenticates physical (MAC) address of the user device
Is physical (MAC) address valid?
  No: Drop packets or disable port
  Yes: Network access device authenticates user of the device based on information provided by the user
Block all traffic on port except for packets related to user authentication protocol
No user policy is assigned
Does network access device have enough system resources to dynamically configure the user policy?
  No: Block all traffic on port except for packets related to user authentication protocol
Dynamically assign user policy to port and restrict further traffic in accordance with policy

FIG. 3




Appl. No. To Be Assigned; Filed: September 4, 2003
Dkt No 1988.01 80000; Group Art Unit: To Be Assigned
Inventor(s): Philip KWAN et al.; Tel: 202/371-2600
Title: Multiple Tiered Network Security System, Method and Apparatus Using Dynamic User Policy Assignment



400 



Enable physical (MAC) address authentication for one or more ports
Set a maximum number of secure MAC addresses for a port
Set age timer for MAC address authentication
Specify secure MAC addresses
Configure switch to automatically save secure MAC addresses to a startup configuration file
Specify action taken when a security violation occurs

User device attempts to access network via port of network access device
Network access device places 802.1x client software on user device into an unauthorized state
Network access device sends EAP message to user device requesting the identity of the user
User credentials are provided to user device and sent to network access device
Network access device forwards user credentials to authentication server
Authentication server performs algorithm to authenticate user based on user credentials
Authentication server returns an accept or reject message back to network access device
Accept message received by network access device?
  No: Block all traffic on port except for 802.1x control packets
  Yes: User policy provided with accept message?
    No: No user policy is assigned to port
    Yes: Is user policy valid? (524)
      No: Block all traffic on port except for 802.1x control packets
      Yes: Does network access device have enough system resources to dynamically configure the user policy?
        No: Block all traffic on port except for 802.1x control packets
        Yes: Dynamically assign user policy to port and restrict further traffic in accordance with policy